DELEGATED ADMINISTRATION OF
INFORMATION IN A DATABASE DIRECTORY
USING AT LEAST ONE ARBITRARY GROUP OF
USERS



CROSS REFERENCE TO RELATED APPLICATIONS 

This application claims the benefit of U.S. Provisional Application
Serial No. 60/241,645 filed on October 19, 2000, and entitled "Approach And Design
For Software To Facilitate Delegated Administration Of Information In A Database
Directory," which is incorporated by reference herein in its entirety.

BACKGROUND OF THE INVENTION 

This disclosure relates generally to community-based computer 
services and more particularly to administration of community-based computer 
services using at least one arbitrary grouping of users. 

Generally, a community is a group of people who typically share a
common interest. With the advent of the Internet and e-commerce, many companies
are forming communities through intranets and extranets, for employees, suppliers,
partners and clients. The communities make it easier and less expensive for the
employees, suppliers, partners and clients to work together. In the context of
computer services, these people are known as computer users or simply users.
Information on each of the users in the communities is stored in a broad range of
directories and databases. The information may comprise the user's name, location,
telephone number, organization, login identification, password, etc. Other
information may comprise the user's access privileges to resources such as
applications and content. The directories may also store information on the physical
devices (e.g., personal computers, servers, printers, routers, communication servers,
etc.) in the networks that support the communities. Additional information may
comprise the services (e.g., operating systems, applications, shared-file systems, print
queues, etc.) available to each of the physical devices. All of the above information is
generally known as community-based computer services.
The administration (i.e., the creation, maintenance, modification,
updating and disabling) of these community-based computer services becomes
difficult as the communities grow in size and complexity. In many cases,
administration becomes an almost impossible task, unless a community is subdivided
into more manageable sub-communities. With the creation of these sub-communities,
it becomes desirable to use a team of administrators who share responsibilities for
administrating the community by assigning different individuals to administer the sub-
communities. This type of administration is referred to as delegated administration.

Currently available administration tools that facilitate delegated
administration do have their drawbacks. For instance, these tools do not provide the
ability to identify an arbitrary set of users whose management is to be delegated. In
particular, many tools require delegation of administration to occur based on a strictly
hierarchical organizational model, where each level of management in the
organization has authority to administer the people reporting to them. This approach
severely limits the ways in which a set of users can be formed and administered. For
example, a company may have a North American organization and a South American
organization. Since the currently available administration tools require delegation to
occur based on a strictly hierarchical organizational model, it would be impossible to
form a community of technicians for the company who are located all over the
world. Consequently, it would be difficult, at best, to provide on-line services that are
targeted at all of the technicians employed by the company and located in
various parts of the world.

Therefore, there is a need for an administration tool that provides the
capability to identify many different and arbitrary sets of users whose management is
to be delegated so that administration can be performed for any type of organization or
community, regardless of its structure.

BRIEF SUMMARY OF THE INVENTION 

In one embodiment of this disclosure, there is a method, system and
computer readable medium that stores instructions for instructing a computer system,
to manage user information in a database directory. In this embodiment, the user
information is organized according to attribute values assigned to the information.
The organized user information is specified into at least one arbitrary group of users.
The user information associated with the at least one arbitrary group of users is then
managed.

In a second embodiment of this disclosure, there is a method, system
and computer readable medium that stores instructions for instructing a computer
system, to provide delegated administration of a user community. In this
embodiment, the user community is specified into at least one arbitrary group of users.
An administrative domain is formed from the at least one arbitrary group of users.
Administrative privileges are granted to an administrator for the administrative
domain. The granted administrative privileges can be delegated to another
administrator for the administrative domain.

In a third embodiment of this disclosure, there is a system, method and
computer readable medium that stores instructions for instructing a computer system,
to enable an administrator to control administration of a user community. In this
embodiment, user information associated with the user community is provided to an
administrator. The administrator is prompted to specify the user community into at
least one arbitrary group of users. The administrator is prompted to form an
administrative domain from the at least one arbitrary group of users. The
administrator is also prompted to define administrative privileges for the
administrative domain. The administrative domain and administrative privileges
defined by the administrator are used to control administration of the user community.

In another embodiment, there is a user community administration tool
for managing user information associated with a user community. In the user
community administration tool there is a user group specifying component that
specifies the user community into at least one arbitrary group of users and a domain
formation component that forms an administrative domain therefrom. An
administrative privileges component grants administrative privileges for the
administrative domain. An information management component manages user
information associated with the administrative domain in accordance with the granted
administrative privileges.

In still another embodiment, there is a system for managing user
information associated with a user community. This system comprises a database
directory that contains a plurality of user information. A user community
administration tool manages the plurality of user information in the database directory.
The user community administration tool comprises a user group specifying component
that specifies the user community into at least one arbitrary group of users and a
domain formation component that forms an administrative domain therefrom. An
administrative privileges component grants administrative privileges for the
administrative domain. An information management component manages the user
information associated with the administrative domain in accordance with the granted
administrative privileges. A computing unit is configured to serve the user
community administration tool and the database directory.

BRIEF DESCRIPTION OF THE DRAWINGS

Fig. 1 shows a schematic of an example of a user community;

Fig. 2 shows an example of delegated administration of the user
community shown in Fig. 1;

Fig. 3 shows an example of a user community formed from at least one
arbitrary group of users;

Fig. 4 shows a schematic of a general-purpose computer system in
which a delegated administration tool that creates and administers at least one
arbitrary group of users operates;

Fig. 5 shows a top-level component architecture diagram of the
delegated administration tool that creates and administers at least one arbitrary group of
users and that operates on the computer system shown in Fig. 4;

Fig. 6 shows an architectural diagram of a system for implementing the
delegated administration tool that creates and administers at least one arbitrary group of
users shown in Fig. 5;

Fig. 7 shows a flow chart of the acts performed to create an
administrative domain from at least one arbitrary group of users with the delegated
administration tool shown in Fig. 5;

Fig. 8 shows a flow chart describing the acts performed to assign a user
authority for an administrative domain formed from at least one arbitrary group of
users with the delegated administration tool shown in Fig. 5;

Fig. 9 shows a flow chart describing various acts performed in editing a
query rule that is used to specify at least one arbitrary group of users for an
administrative domain with the delegated administration tool shown in Fig. 5; and

Figs. 10a-10c show various screen displays that may be presented to a
user of the delegated administration tool shown in Fig. 5.

DETAILED DESCRIPTION OF THE INVENTION

Fig. 1 shows a schematic of an example of a user community receiving
a community of services from a medical services provider. The example shown in
Fig. 1 is illustrative of the concept of a user community and is not meant to limit this
disclosure. In Fig. 1, Healthcare Providers A-D are communities that receive
computer-based services from Medical Services Provider X. Examples of such
computer-based services may comprise medical information, the ability to order
medical supplies, the ability to schedule patient appointments, and the ability to file claims
for patient services. Other illustrative examples of computer-based services for this
scenario may comprise benchmarking information, healthcare statistics and access to
downloadable software. The healthcare providers may also want to provide the
computer-based services to their clients, partners, vendors, suppliers, etc. In Fig. 1,
Healthcare Provider B provides the computer-based services established from Medical
Services Provider X to a Local Clinic and Local Hospital with which it has a
relationship. The computer-based services can also be provided to their employees.
In Fig. 1, the computer-based services are provided to the various departments in the
Local Hospital such as Cardiology, Radiology, Gastroenterology, Medical Research,
etc. Similar types of distribution of the computer-based services can be provided for
the other healthcare providers (i.e., Healthcare Providers A, C and D).

Medical Services Provider X stores information on each of the users in
the community in a database directory. The information may comprise the user's
name, location, telephone number, organization, login identification, password, etc.
Other information may comprise the user's access privileges to certain resources
provided by Medical Services Provider X such as applications and content. The
database directory of Medical Services Provider X may also store information on the
physical devices (e.g., personal computers, servers, printers, routers, communication
servers, etc.) in the networks that support the communities. Additional information
stored in the database directory may comprise the services (e.g., operating systems,
applications, shared-file systems, print queues, etc.) available to each of the physical
devices.

Since the user community shown in Fig. 1 can be quite large and
complex, it is desirable to subdivide and delegate administration of these
communities. Fig. 2 shows an example of delegated administration of the user
community shown in Fig. 1. In this example, there is an administrator for each
community that is responsible for managing a variety of activities that include but are
not limited to modifying user information, updating permissions to certain resources,
disabling user accounts, creating user accounts and maintaining user accounts. For
instance, the SuperAdministrator manages the activities for Medical Services Provider
X; Administrator A manages the activities for the Local Clinic associated with
Healthcare Provider B and the Cardiology department of the Local Hospital;
Administrator B manages the activities for Healthcare Providers A and B;
Administrator C manages the activities for Healthcare Provider D; Administrator D
manages the activities for the Local Hospital associated with Healthcare Provider B,
the Medical Research departments for the Local Hospital associated with Healthcare
Provider B, as well as the activities for Healthcare Provider C; Administrator E
manages the activities for the Cardiology and Radiology departments of the Local
Hospital associated with Healthcare Provider B; and Administrator F manages the
activities for the Gastroenterology department of the Local Hospital associated with
Healthcare Provider B. The extent to which Administrators A-F manage activities
depends entirely on the type of authority that they have. Other forms of delegated
administration for this example are possible as will be apparent to people skilled in
the art.

For purposes of explaining the delegated administration provided with
this disclosure, each block (i.e., Medical Services Provider X, Healthcare Providers A-
D, Local Clinic, Local Hospital, Cardiology, Radiology, Gastroenterology, Medical
Research) in the user community of Fig. 2 represents an administrative domain. An
administrative domain is a managed object that comprises a set of users, a set of user
attributes which can be modified, and a set of allowable values for those data fields
over which an administrator has authority. Possible examples of user attributes may
include but are not limited to employer, role or job description, resources that
permission has been granted to access, address and equipment used. Generally, an
administrator's authority may comprise edit authority and/or delegation authority. An
administrator has edit authority within the administrative domain when he or she may
edit certain attributes of the users. An administrator has delegation authority within
the administrative domain when he or she may define a subset of the users and
identify attributes for modification, in order to create an administrative sub-domain.
The assignment of the administrative sub-domain to a person is the delegation of that
domain. The ability to create an administrative sub-domain and to assign that domain
to a user is delegation authority. Although the authority described in this disclosure
relates generally to edit authority and delegation authority, one of ordinary skill in the
art will recognize that other types of authority such as view, modify, delete, temporary
delegation, as well as similar operations, but with limitations on the extent of
viewable data, are possible as well. These examples of authority can be used in
addition to, in place of, or in combination with the delegation and edit authority.

As mentioned above, it is desirable to be able to create communities
based on any user information without regard to structure or format of the underlying
user data in the database directory. This would enable an administrator to administer
user groups formed in many different and arbitrary sets, as opposed to groups that are
formed from sets that are generally inflexible in definition (e.g., the strictly
hierarchical organization model). For example, an administrator could administer any
arbitrary grouping of users according to information such as the users' location,
applications that users have access privileges to, contractual agreements that users
have executed, etc.

Fig. 3 shows an example of a user community formed from at least one
arbitrary group of users. In Fig. 3, the user community comprises Radiologists as one
group, employees of Healthcare Provider B as a second group and employees located
in the state of Wisconsin as a third group. Administrator G is the administrator
assigned to the three user communities. Assuming that Administrator G has been
granted at least delegation authority for at least one community (it is possible that
other types of authority such as edit, view, modify, delete, etc. can be granted), then he
or she can form an administrative domain from these groups of users. In Fig. 3, the
administrative domain formed by Administrator G comprises Radiologists that work
for Healthcare Provider B in the state of Wisconsin. A crosshatched section in Fig. 3
represents the administrative domain of Radiologists that work for Healthcare
Provider B in the state of Wisconsin. Assuming again that Administrator G has
delegation authority, then he or she can grant administrative privileges for managing
the administrative domain that comprises Radiologists that work for Healthcare
Provider B in the state of Wisconsin. In Fig. 3, Administrator G has assigned
administrative privileges to Administrator H for the administrative domain that
comprises Radiologists that work for Healthcare Provider B in the state of
Wisconsin. Assuming that Administrator H has been granted at least delegation
authority for this domain from Administrator G, then it is also possible for
Administrator H to create an administrative sub-domain from the domain of
Radiologists that work for Healthcare Provider B in the state of Wisconsin by
specifying an additional arbitrary user group from this domain. The specified
additional arbitrary user group can be based upon whatever user attributes are desired
without regard to structure or format of the underlying user data. For example,
Administrator H could create a sub-domain for radiologists who are board certified,
work in Madison, Wisconsin, and work for Healthcare Provider B. Then
Administrator H could grant administrative privileges to another administrator for this
sub-domain if desired. The example shown in Fig. 3 is illustrative of the concept of
creating a user community, administrative domain or sub-domain from at least one
arbitrary group of users and is not meant to limit this disclosure.

As an example, the above-described delegated administration
capabilities for creating and administering at least one arbitrary group of users can be
implemented in software. Fig. 4 shows a schematic of a general-purpose computer
system 10 in which a delegated administration tool that creates and administers at
least one arbitrary group of users operates. The computer system 10 generally
comprises at least one processor 12, a memory 14, input/output devices, and data
pathways (e.g., buses) 16 connecting the processor, memory and input/output devices.
The processor 12 accepts instructions and data from the memory 14 and performs
various calculations. The processor 12 includes an arithmetic logic unit (ALU) that
performs arithmetic and logical operations and a control unit that extracts instructions
from memory 14 and decodes and executes them, calling on the ALU when necessary.
The memory 14 generally includes a random-access memory (RAM) and a read-only
memory (ROM); however, there may be other types of memory such as programmable
read-only memory (PROM), erasable programmable read-only memory (EPROM) and
electrically erasable programmable read-only memory (EEPROM). Also, the memory
14 preferably contains an operating system, which executes on the processor 12. The
operating system performs basic tasks that include recognizing input, sending output
to output devices, keeping track of files and directories and controlling various
peripheral devices.

The input/output devices may comprise a keyboard 18 and a mouse 20
that enter data and instructions into the computer system 10. Also, a display 22 may
be used to allow a user to see what the computer has accomplished. Other output
devices may include a printer, plotter, synthesizer and speakers. A communication
device 24, such as a telephone or cable modem or a network card such as an Ethernet
adapter, local area network (LAN) adapter, integrated services digital network (ISDN)
adapter, or Digital Subscriber Line (DSL) adapter, enables the computer system
10 to access other computers and resources on a network such as a LAN or a wide
area network (WAN). A mass storage device 26 may be used to allow the computer
system 10 to permanently retain large amounts of data. The mass storage device may
include all types of disk drives such as floppy disks, hard disks and optical disks, as
well as tape drives that can read and write data onto a tape that could include digital
audio tapes (DAT), digital linear tapes (DLT), or other magnetically coded media.
The above-described computer system 10 can take the form of a hand-held digital
computer, personal digital assistant computer, notebook computer, personal computer,
workstation, mini-computer, mainframe computer or supercomputer.

Fig. 5 shows a top-level component architecture diagram of a delegated
administration tool 28 that can create and administer at least one arbitrary group of
users and that operates on the computer system 10 shown in Fig. 4. The delegated
administration tool 28 comprises a user group specifying component 29 that enables
an administrator to specify at least one arbitrary group of users for a user community
such as the one shown in Fig. 3. Each arbitrary group of users that is specified has
attributes associated with each of its users and allowable values of these attributes.
The administrator via the user group specifying component 29 uses combinations of
possible attribute values for each of the users as criteria for specifying the at least one
arbitrary group of users. The specified at least one arbitrary group of users can be
based upon whatever user attributes are desired by the administrator without regard to
structure or format of the underlying user data. For example, referring to Fig. 3, an
administrator can use the user group specifying component 29 to utilize user attributes
and values such as employer (Healthcare Provider B), job description (radiologist) and
address (Wisconsin) to form a user community.

The user group specifying component 29 forms the at least one
arbitrary group of users through a query rule constructed by the administrator to query
a database directory containing user information. The query rule defines the users
within the at least one arbitrary group of users. Since the database directory may not
be organized according to the desired grouping of users because of variables such as
cross-functionalities of users, different locations of users, etc., the query rule aids the
administrator in specifying the at least one arbitrary group of users. The formation of
the at least one arbitrary group of users is dynamic because user data in the database
directory that satisfies the query rule dynamically becomes a managed user within the
at least one arbitrary group of users in real-time. That is, the at least one arbitrary
group of users is formed on demand by execution of the query. Thus, if any new user
is added to the database directory and his or her data would result in satisfying the
query rule, then that user dynamically becomes a managed user within the domain
formed from the at least one arbitrary group of users in real-time. Alternatively, if a
user is removed from the database directory, then that user is dynamically and in real-
time excluded as a managed user for the domain formed from the at least one arbitrary
group of users. The dynamic formation of the at least one arbitrary group of users
enables an administrator to determine who is currently in the administrative domain
formed from the at least one arbitrary user group and who is not.

A domain formation component 30 enables an administrator to form a
user community, administrative domain or administrative sub-domain from the
specified at least one arbitrary group of users such as the ones shown and described
with Fig. 3. For example, referring to Fig. 3, the domain formation component 30
permits an administrator to form an administrative domain from the at least one
arbitrary group of users whose attribute values indicate that they are employed by
Healthcare Provider B, in the state of Wisconsin, as radiologists.

The delegated administration tool 28 also comprises an administrative
privileges component 32. The administrative privileges component 32 enables an
administrator to grant administrative privileges for an administrative domain or
administrative sub-domain that he or she has authority for in accordance with the
above-described manner. The granted administrative privileges may comprise at least
one of delegation authority and edit authority. As mentioned above, it is also possible
to grant other types of authority such as view, modify, delete, temporary delegation,
etc. These examples of authority can be used in addition to, in place of, or in
combination with the delegation and edit authority.

The administrative privileges component 32 also enables an
administrator to define which users in an administrative domain or sub-domain that he
or she operates and has authority for will have the granted administrative privileges.
More specifically, an administrator can use this component to define various
administrators for their operational domain by assigning delegation authority, edit
authority or other types to a particular user. Administrators with delegation authority
can also use the user group specifying component 29, domain formation component
30 and administrative privileges component 32 to form sub-domains from an
additional group of users for their operational domain by constructing a query rule,
defining administrative privileges for these newly formed sub-domains and defining
who will have delegation authority, edit authority or other types for these sub-
domains. As long as an administrator has delegation authority in a particular domain,
it is possible to continue to use the user group specifying component 29, domain
formation component 30 and administrative privileges component 32 to create a sub-
domain from at least one arbitrary group of users using a query rule and delegate
administration for the sub-domain that he or she operates in. For instance, using an
earlier example, Administrator H could create a sub-domain for radiologists who are
board certified, work in Madison, Wisconsin, and work for Healthcare Provider B.
Assuming that Administrator H has delegation authority, he or she can grant
administrative privileges to other administrators if desired for this sub-domain. An
administrator that is assigned delegation authority for this sub-domain can continue to
create an additional sub-domain (e.g., board-certified radiologists working in
Madison, Wisconsin, for Healthcare Provider B, that are trained to use X-ray Scanner
Z) of the current domain and grant authority for it to another administrator. It is
possible to continue to an arbitrary level with respect to an administrator's working
domain.
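The following Python is an added example, written for this edit and not part of the disclosure or of any product it describes. It models the query-rule grouping of the user group specifying component 29 (a rule is a conjunction of attribute/value tests that is evaluated against the directory on demand, so membership is always current) together with the delegation chain just described (Administrator G's domain of Wisconsin radiologists at Healthcare Provider B, narrowed by Administrator H to board-certified radiologists in Madison). The directory entries, the LDAP attribute names (title, o, st, l, boardCertified), and the invariant enforced in delegate() (a sub-domain's query is the parent's query AND-ed with the new criteria, and its editable attributes must be a subset of the parent's, so a delegate can never widen the authority it was given) are assumptions of this example. The RFC 4515 escaping in to_ldap_filter() is the check a practitioner would want whenever an administrator-typed value is turned into a directory search filter.

```python
"""Added example (not the disclosure's code): administrative domains defined by
query rules, with delegation that can only narrow authority."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Tuple

# A query rule is a conjunction of (attribute, value) equality tests.
Rule = Tuple[Tuple[str, str], ...]

# Constructed sample directory entries (illustrative only, not real data).
DIRECTORY: Dict[str, Dict[str, str]] = {
    "uid=alice": {"title": "radiologist",  "o": "Healthcare Provider B",
                  "st": "WI", "l": "Madison",   "boardCertified": "TRUE"},
    "uid=bob":   {"title": "radiologist",  "o": "Healthcare Provider B",
                  "st": "WI", "l": "Milwaukee", "boardCertified": "FALSE"},
    "uid=carol": {"title": "radiologist",  "o": "Healthcare Provider A",
                  "st": "WI", "l": "Madison",   "boardCertified": "TRUE"},
    "uid=dave":  {"title": "cardiologist", "o": "Healthcare Provider B",
                  "st": "WI", "l": "Madison",   "boardCertified": "TRUE"},
}

# RFC 4515 escapes: an administrator-typed value must never change filter structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def to_ldap_filter(rule: Rule) -> str:
    """Render the conjunctive rule as an LDAP search filter string."""
    terms = "".join(f"({attr}={escape_value(val)})" for attr, val in rule)
    return terms if len(rule) == 1 else f"(&{terms})"


def members(rule: Rule, directory: Dict[str, Dict[str, str]] = DIRECTORY) -> FrozenSet[str]:
    """Evaluate the rule on demand, so membership tracks the directory's current state."""
    return frozenset(dn for dn, attrs in directory.items()
                     if all(attrs.get(attr) == val for attr, val in rule))


@dataclass(frozen=True)
class Domain:
    rule: Rule                     # which users (set of users)
    editable: FrozenSet[str]       # which attributes may be modified
    allowed: Dict[str, FrozenSet[str]] = field(default_factory=dict)  # allowed values per attribute


@dataclass(frozen=True)
class Grant:
    domain: Domain
    edit: bool        # edit authority
    delegate: bool    # delegation authority


def delegate(grantor: Grant, extra_rule: Rule, editable: FrozenSet[str],
             edit: bool, delegation: bool) -> Grant:
    """Create a sub-domain and assign it (the act of delegation). Assumption of this
    example: every dimension of the sub-domain must lie within the grantor's domain."""
    if not grantor.delegate:
        raise PermissionError("grantor lacks delegation authority")
    if not editable <= grantor.domain.editable:
        raise PermissionError("sub-domain would expose attributes outside the parent domain")
    # AND-ing the parent's rule with the new criteria guarantees that the
    # sub-domain's members are a subset of the parent's for any directory state.
    sub = Domain(rule=grantor.domain.rule + extra_rule, editable=editable,
                 allowed={a: v for a, v in grantor.domain.allowed.items() if a in editable})
    return Grant(domain=sub, edit=edit, delegate=delegation)


def delegation_refused(grantor: Grant, extra_rule: Rule, editable: FrozenSet[str]) -> bool:
    """True when the grant is rejected, i.e. the delegate tried to widen authority."""
    try:
        delegate(grantor, extra_rule, editable, edit=True, delegation=False)
        return False
    except PermissionError:
        return True


def can_edit(grant: Grant, dn: str, attr: str, new_value: str,
             directory: Dict[str, Dict[str, str]] = DIRECTORY) -> bool:
    """Edit-time check: authority type, editable attribute, live membership, allowed value."""
    dom = grant.domain
    if not grant.edit or attr not in dom.editable:
        return False
    if dn not in members(dom.rule, directory):   # re-evaluated, never cached
        return False
    allowed = dom.allowed.get(attr)
    return allowed is None or new_value in allowed


def fig3_scenario() -> Tuple[Grant, Grant]:
    """Administrator G's domain (Fig. 3) and the sub-domain G delegates to Administrator H."""
    g = Grant(Domain(rule=(("title", "radiologist"), ("o", "Healthcare Provider B"), ("st", "WI")),
                     editable=frozenset({"l", "telephoneNumber", "boardCertified"}),
                     allowed={"boardCertified": frozenset({"TRUE", "FALSE"})}),
              edit=True, delegate=True)
    h = delegate(g, extra_rule=(("boardCertified", "TRUE"), ("l", "Madison")),
                 editable=frozenset({"telephoneNumber"}), edit=True, delegation=True)
    return g, h
```

Because membership is computed by members() at every check rather than stored, a user entry added to the directory that satisfies the rule is managed immediately, and a removed entry drops out immediately, which is the real-time behaviour the query-rule approach relies on; the cost is that the authorization decision is only as trustworthy as the attribute values in the directory, so the attributes a rule keys on (here employer, title and location) must themselves be writable only by administrators whose domains are entitled to set them.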

The delegated administration tool 28 also comprises an information
management component 36 that manages information associated with each of the
administrative domains in accordance with the delegated administrative privileges.
Depending on the type of authority delegated, an administrator can use the
information management component 36 to edit, view or delete specific attributes for a
user in a domain. The information management component 36 is not limited to these
functions and may perform other functions such as generating reports (e.g., reports on
all users within a domain), analyzing data (e.g., determining how frequently some
types of data change), performing statistical analysis or allowing users to perform self-
administration on certain attributes (e.g., phone number, e-mail address, passwords,
etc.).

The delegated administration tool 28 is not limited to a software
implementation. For instance, the user group specifying component 29, domain
formation component 30, administrative privileges component 32 and the information
management component 36 may take the form of hardware or firmware or
combinations of software, hardware, and firmware.

In addition, the delegated administration tool 28 is not limited to the
user group specifying component 29, domain formation component 30, administrative
privileges component 32 and information management component 36. One of
ordinary skill in the art will recognize that the delegated administration tool 28 may
have other components. For example, the delegated administration tool 28 could also
include a workflow component that manages processes surrounding user creation and
administration. Also, the delegated administration tool 28 could include a reporting
component that reports usage statistics, error conditions, etc. There could also be a
transactional management component that performs transactions using 2-phase
commit/rollback. Still another component that the delegated administration tool 28
could include is a browsing component for viewing information associated with the
hierarchy of administrative domains.

Fig. 6 shows an architectural diagram of a system 38 for implementing
the delegated administration tool shown in Fig. 5. Fig. 6 shows that there are several
ways of accessing the delegated administration tool 28. A computing unit 40 allows
an administrator to access the delegated administration tool 28. The administrator
could be the SuperAdministrator or administrators with delegation authority, edit
authority or other types of authority. Also, users in the domain may access the
delegated administration tool 28 through a computing unit 40 to perform some basic
self-administration. The computing unit 40 can take the form of a hand-held digital
computer, personal digital assistant computer, notebook computer, personal computer
or workstation. The administrators and users use a web browser 42 such as Microsoft
INTERNET EXPLORER or Netscape NAVIGATOR to locate and display the
delegated administration tool 28 on the computing unit 40. A communication
network such as an electronic or wireless network connects the computing unit 40 to
the delegated administration tool 28. Fig. 6 shows that the computing units 40 may
connect to the delegated administration tool 28 through a private network 44 such as
an extranet or intranet or a global network 46 such as a WAN (e.g., Internet). As
shown in Fig. 6, the delegated administration tool 28 resides in a server 48, which
comprises a web server 50 that serves the delegated administration tool 28 and a
database directory 52 (or directories) that contains the various information for the
users in all of the domains that form the community. However, the delegated
administration tool does not have to be co-resident with the server 48. If desired, the
system 38 may have functionality that enables authentication and access control of
users accessing the delegated administration tool 28. Both authentication and access
control can be handled at the web server level, by the delegated administration tool 28
itself, or by commercially available packages such as Netegrity SITEMINDER.

The information in the database directory 52 as mentioned above may comprise information such as the user's name, location, telephone number, organization, login identification, password, etc. Other information may comprise the user's access privileges to certain resources such as applications and content. The database directory 52 may also store information on the physical devices (e.g., personal computers, servers, printers, routers, communication servers, etc.) in the networks that support the communities. Additional information stored in the database directory 52 may comprise the services (e.g., operating systems, applications, shared-file systems, print queues, etc.) available to each of the physical devices. The database directory 52 can take the form of a lightweight directory access protocol (LDAP) database; however, other directory type databases with other types of schema can be used with the delegated administration tool 28, including relational databases, object-oriented databases, flat files, or other data management systems.

Using the system 38 shown in Fig. 6, an administrator such as a SuperAdministrator or an administrator with delegation or edit authority can use the delegated administration tool 28 to administer a community using at least one arbitrary group of users. Also, users of the community can use the delegated administration tool 28 to perform some self-administration. Fig. 7 shows a flow chart describing the acts performed to create an administrative domain from at least one arbitrary group of users with the delegated administration tool 28. To create an administrative domain, the user must be either a SuperAdministrator or an administrator having delegation authority. At block 54, the SuperAdministrator or administrator with delegation authority signs in. The sign-in act can include entering identity and security information (e.g., a valid username and password). The delegated administration tool validates the username and password at 56. The delegated administration tool then determines if the user has permission (i.e., the user is a SuperAdministrator or administrator with delegation authority) to create an administrative domain at 58. If the user is not authenticated or does not have permission to create an administrative domain, then the user is not allowed to create a domain.

At 60, the user identifies attributes that can be handled for the administrative domain. As mentioned above, attributes comprise any data which describe information about a user (e.g., employer, job description, resources that permission has been granted to access, address, equipment used, etc.). If desired, some of the attributes can be restricted. For example, a country attribute can be restricted to a limited set of country abbreviations. For instance, in order to represent the countries United States, Canada and Mexico, a set of values can be defined such as USA, CAN or MEX, respectively. For some of these kinds of restricted attributes, it may be desirable to have the restricted attributes appear in the display to the user in the form of a pull-down menu. All of the attributes that are identified can then be viewed, edited or deleted at a subsequent time. At 62, the user assigns allowable values for these identified attributes where needed.

Next, the user specifies at least one arbitrary group of users using attribute values or combinations of these values that are associated with users in a user community. In particular, the user constructs a query rule at 64 to obtain the at least one arbitrary group of users specified for the administrative domain from the database directory. The results of the query define the members of the groups of users in the community or domain. After the query rule has been constructed, the community or domain is formed at 65. Next, the database directory is updated at 66 with the data for the newly created administrative domain. If an administrator with delegation authority wants to create another domain from their operational domain, then blocks 58-66 are repeated. Otherwise, any time a SuperAdministrator or an administrator with delegation authority desires to create an administrative domain for their operational domain, then blocks 54 through 66 are repeated. Note that a SuperAdministrator for a user community can perform any function on an administrative domain that he or she desires, such as create, modify, delete, view, etc.

Fig. 8 shows a flow chart describing the acts performed to assign a user delegation authority, edit authority or other types of authority for a domain. The only users that can assign delegation authority and/or edit authority are either a SuperAdministrator or an administrator having delegation authority. If the SuperAdministrator or administrator having delegation authority has not already logged onto the delegated administration tool, then he or she must sign in at 68. The delegated administration tool validates the username and password at 70. Alternatively, if the SuperAdministrator or administrator having delegation authority has already logged onto the delegated administration tool, then blocks 68-70 may be bypassed. The delegated administration tool determines which domains the user has delegation authority over, if any, at 72. Thus, if the user is an administrator with delegation authority, then he or she will have permission to assign delegation authority and/or edit authority for their assigned domains.

At 73, the SuperAdministrator or administrator with delegation authority selects a particular administrative domain to operate in. The SuperAdministrator or administrator with delegation authority may select the administrative domain by inputting the desired domain or a string that describes the domain, or using a combination of both. One of ordinary skill in the art will recognize that there are other input techniques that can be used to select a domain. At 74, the SuperAdministrator or administrator with delegation authority searches for users in the database directory that satisfy search criteria that have been formulated. The delegated administration tool parses and formats the search results and presents the results to the user at 76. The SuperAdministrator or administrator with delegation authority then selects a single user from the results for assigning authority to that person at 78. The SuperAdministrator or administrator with delegation authority then selects a sub-domain of the active domain for which authority will be assigned to that user at 79. Then the SuperAdministrator or administrator with delegation authority selects the type of authority (i.e., delegation authority, edit authority or other types of authority) that will be assigned at 80. If desired, the SuperAdministrator or administrator with delegation authority may set an expiration date for the assigned authority. After the authority has been assigned, the database directory is updated at 82 with this data. Thus, any time an administrator with delegation authority desires to delegate authority of an assigned administrative domain to another user, then at least blocks 73 through 82 are repeated.
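The authority checks of Figs. 7 and 8, as an added example in Python rather than code from the patent: domains form a tree, a grant carries a type and an optional expiration date, and a grant is recorded only when the grantor is the SuperAdministrator or holds unexpired delegation authority over the target domain or one of its ancestors (the "sub-domain of the active domain" rule of block 79, generalized to any depth). The class and field names, the `superadmin` login and the convention that a grant is honoured through its expiration date are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

SUPERADMIN = "superadmin"  # assumed login of the community's SuperAdministrator

@dataclass
class Grant:
    user: str
    domain: str
    authority: str                  # "delegation" or "edit"
    expires: Optional[date] = None  # optional expiration date (block 80)

    def active(self, today: date) -> bool:
        return self.expires is None or today <= self.expires  # lapses silently

class Directory:
    """Stand-in for the database directory 52: the domain tree plus its grants."""
    def __init__(self) -> None:
        self.parent: dict = {}  # domain -> parent domain (None at the root)
        self.grants: list = []

    def add_domain(self, name: str, parent: Optional[str] = None) -> None:
        self.parent[name] = parent

    def is_subdomain(self, domain: str, ancestor: str) -> bool:
        """True when domain is ancestor itself or lies below it in the hierarchy."""
        node: Optional[str] = domain
        while node is not None:
            if node == ancestor:
                return True
            node = self.parent[node]  # KeyError for a domain never created
        return False

    def has_delegation_authority(self, user: str, domain: str, today: date) -> bool:
        """Block 72: SuperAdministrator, or an unexpired delegation grant above."""
        if user == SUPERADMIN:
            return True
        return any(g.user == user and g.authority == "delegation" and g.active(today)
                   and self.is_subdomain(domain, g.domain) for g in self.grants)

    def assign_authority(self, grantor: str, grantee: str, domain: str, authority: str,
                         today: date, expires: Optional[date] = None) -> Grant:
        """Blocks 73-82: refuse unless the grantor may delegate over that domain."""
        if authority not in ("delegation", "edit"):
            raise ValueError(f"unknown authority type {authority!r}")
        if domain not in self.parent:
            raise KeyError(f"unknown domain {domain!r}")
        if not self.has_delegation_authority(grantor, domain, today):
            raise PermissionError(f"{grantor!r} cannot delegate over {domain!r}")
        if expires is not None and expires < today:
            raise ValueError("expiration date is already in the past")
        grant = Grant(grantee, domain, authority, expires)
        self.grants.append(grant)  # block 82: update the directory
        return grant
```

Edit authority never implies delegation authority, so a user who only holds edit authority cannot extend the chain; an expired delegation grant stops authorizing new grants but does not revoke grants already made through it, which is what a periodic review would have to catch.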

Fig. 9 shows a flow chart describing various acts performed in editing a query rule for specifying at least one arbitrary group of users for an administrative domain or sub-domain. The only users that can edit a query rule for a particular domain are a SuperAdministrator and an administrator with delegation authority in the operational domain that includes the particular domain. If the SuperAdministrator or the administrator with delegation authority has not already logged onto the delegated administration tool, then he or she must sign in at 100. The delegated administration tool validates the username and password at 102. Alternatively, if the SuperAdministrator or the administrator with delegation authority has already logged onto the delegated administration tool, then blocks 100-102 may be bypassed. The delegated administration tool then determines which domains, if any, the user has delegation authority over at 104. Thus, if the user is an administrator with delegation authority, then he or she will have permission to edit a query rule for any sub-domains of their assigned domains.

At 106, the SuperAdministrator or administrator with delegation authority selects a particular administrative domain that contains the query rule that he or she would like to edit and has authority to edit. Generally, at this block the SuperAdministrator or administrator with delegation authority inputs the domain name and/or a string that describes the domain. The delegated administration tool displays the current query rule associated with the at least one arbitrary group of users for the domain at 108. The SuperAdministrator or administrator with delegation authority then edits the query rule as desired at 110. The delegated administration tool parses and interprets the changes and updates the database directory at 112 with this data.

The foregoing flow charts of this disclosure show the functionality and operation of the delegated administration tool. In this regard, each block represents a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the blocks may occur out of the order noted in the figures or, for example, may in fact be executed substantially concurrently or in the reverse order, depending upon the functionality involved. Also, one of ordinary skill in the art will recognize that additional blocks may be added. Furthermore, the functions can be implemented in programming languages such as C++ or JAVA; however, other languages can be used.

Figs. 10a-10c show various screen displays that may be presented to a user of the delegated administration tool shown in Fig. 5. These screen displays are for illustrative purposes only and are not exhaustive of other types of displays. Also, the actual look and feel of the displays can be slightly or substantially changed during implementation. Figs. 10a-10b show screen displays that may be presented to a user after he or she logs into the delegated administration tool 28 and is interested in adding an administrative domain from at least one arbitrary group of users. In particular, Fig. 10a shows a screen display that enables a user to create or edit an administrative domain from at least one arbitrary group of users. In Fig. 10a, the user identifies the administrative domain name and attributes that can be handled for the domain. Fig. 10b shows a screen display that enables a user to construct or edit a query rule for specifying the at least one arbitrary group of users for forming an administrative domain or sub-domain. Each query rule on a line comprises an attribute field for searching; an operator such as "equal to", "less than", "greater than", "less than or equal to", "greater than or equal to", "not equal to", "contains", "does not contain", "excludes", or "does not exclude"; a field for specifying a string or pattern for searching the designated attribute; and another operator such as "AND" or "OR" for coupling this particular query rule to any other rules. One of ordinary skill in the art will recognize that other fields and additional attribute operators can be used to construct a query rule. The screen display in Fig. 10b also presents the user with the option of constructing his or her own custom-made query rule. Constructing a custom-made query rule can be achieved by using Boolean logic, a natural language query or an SQL query.

Fig. 10c shows a screen display that may be presented to a user after he or she logs into the delegated administration tool 28 and is interested in assigning delegation authority, edit authority or any other type of authority. In Fig. 10c, the user has selected a particular user for delegating administration and identifies the administrative domain name and the type of authority (e.g., delegation authority and/or edit authority) that the user will have over that domain. In addition, an expiration date for the assigned administrative domain and authority can be designated. Note that more than one administrative domain can be assigned to a user. Similarly, more than one user may be assigned to a domain. The selections for the domain name, the type of authority and expiration date appear in Fig. 10c as pull-down menus; however, other options for inputting data may be used if desired.

The above-described delegated administration tool comprises an ordered listing of executable instructions for implementing logical functions. The ordered listing can be embodied in any computer-readable medium for use by or in connection with a computer-based system that can retrieve the instructions and execute them. In the context of this application, the computer-readable medium can be any means that can contain, store, communicate, propagate, transmit or transport the instructions. The computer-readable medium can be an electronic, a magnetic, an optical, an electromagnetic, or an infrared system, apparatus, or device. An illustrative, but non-exhaustive list of computer-readable media can include an electrical connection (electronic) having one or more wires, a portable computer diskette (magnetic), a random access memory (RAM) (magnetic), a read-only memory (ROM) (magnetic), an erasable programmable read-only memory (EPROM or Flash memory) (magnetic), an optical fiber (optical), and a portable compact disc read-only memory (CDROM) (optical).

Note that the computer-readable medium may comprise paper or another suitable medium upon which the instructions are printed. For instance, the instructions can be electronically captured via optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.

It is apparent that there has been provided in accordance with this 
invention, a delegated administration tool. While the invention has been particularly 
shown and described in conjunction with a preferred embodiment thereof, it will be 
appreciated that variations and modifications can be effected by a person of ordinary 
skill in the art without departing from the scope of the invention. 